Cisco Router 860, 880 Series User Manual

Page 101

 
6-7
Book Title
OL-xxxxx-xx
Chapter 6      Configuring Security Features
  Configuring VPN
For more information about IPSec and GRE configuration, see the “Configuring Security for VPNs with 
IPSec” chapter of the Cisco IOS Release 12.4T Security Configuration Guide at 
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html.
Configuration Examples
Each example configures a VPN over an IPSec tunnel, using the procedure given in the “Configure a 
VPN over an IPSec...

Page 102

 
Configure Group Policy Information
To configure the group policy, perform these steps, beginning in global configuration mode:
Step 1
Command or Action: crypto isakmp policy priority
Example:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)#
Purpose: Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest.
Also enters the Internet...

Page 103

 
Apply Mode Configuration to the Crypto Map
To apply mode configuration to the crypto map, perform these steps, beginning in global configuration 
mode:
Step 1
Command or Action: crypto isakmp client configuration group {group-name | default}
Example:
Router(config)# crypto isakmp client configuration group rtr-remote
Router(config-isakmp-group)#
Purpose: Creates an IKE policy group containing attributes to be...

Page 104

 
Enable Policy Lookup
To enable policy lookup through AAA, perform these steps, beginning in global configuration mode:
Step 1
Command or Action: crypto map map-name isakmp authorization list list-name
Example:
Router(config)# crypto map dynmap isakmp authorization list rtr-remote
Router(config)#
Purpose: Applies mode configuration to the crypto map and enables key lookup (IKE queries) for the group policy from...

Page 105

 
Configure IPSec Transforms and Protocols
A transform set represents a certain combination of security protocols and algorithms. During IKE 
negotiation, the peers agree to use a particular transform set for protecting data flow. 
During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at 
both peers. When a transform set is found that contains such a transform, it is...

Page 106

 
Configure the IPSec Crypto Method and Parameters
A dynamic crypto map policy processes negotiation requests for new security associations from remote 
IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).
To configure the IPSec crypto method, perform these steps, beginning in global configuration mode:
Step 2
Command or Action: crypto ipsec transform-set transform-set-name transform1...

Page 107

 
Apply the Crypto Map to the Physical Interface
The crypto maps must be applied to each interface through which IPSec traffic flows. Applying the 
crypto map to the physical interface instructs the router to evaluate all the traffic against the security 
associations database. With the default configurations, the router provides secure connectivity by 
encrypting the traffic sent between remote sites. However, the...

Page 108

 
If you are creating a site-to-site VPN using IPSec tunnels and GRE, go to the “Configure a Site-to-Site 
GRE Tunnel” section on page 6-16.
Create a Cisco Easy VPN Remote Configuration
The router acting as the Cisco Easy VPN client must create a Cisco Easy VPN remote configuration and 
assign it to the outgoing interface. 
To create the remote configuration, perform these steps, beginning in global configuration...

Page 109

 
Configuration Example
The following configuration example shows a portion of the configuration file for the VPN and IPSec 
tunnel described in this chapter.
!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username Cisco password 0 Cisco
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp...

Page 110

 
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key secret-password
 mode client
 peer 192.168.100.1
!
interface...